Hackers stole $45 million in ATM card breach

May 10, 2013
|

In this Saturday, Jan. 5, 2013 file photo, a person inserts a debit card into an ATM machine in Pittsburgh. A gang of cyber-criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe, federal prosecutors said Thursday, May 9, 2013. / Gene J. Puskar AP

by Kevin McCoy, USA TODAY

by Kevin McCoy, USA TODAY

NEW YORK - They didn't use guns, masks or even threatening notes passed to bank tellers.

But an alleged international gang of cyberthieves managed to steal $45 million from thousands of ATMs in carefully coordinated attacks conducted in a matter of hours, federal authorities charged Thursday.

A four-count indictment unsealed in Brooklyn charged that eight members of the alleged gang's New York City crew alone stole approximately $2.4 million from nearly 3,000 ATMs across the metropolitan area in secret strikes carried out on two days in February.

"In the place of guns and masks, this cybercrime organization used laptops and the Internet," said Brooklyn U.S. Attorney Loretta Lynch as federal authorities announced details of one of the largest 21st century versions of cyber-robbery yet uncovered. "Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMS."

Federal prosecutors and investigators said the alleged attacks are known in the cyberunderworld as "Unlimited Operations" - because using sophisticated computer-hacking techniques enable those involved to gain access to virtually unlimited criminal proceeds.

The schemes involve hacking into the computer systems of credit card processors, stealing information involving prepaid debit card accounts and eliminating the withdrawal limits and balances of those accounts. The moves enable international organized crime cells that work in swift, surgically coordinated attacks to withdraw unlimited amounts of cash from ATMs before the operations are shut down.

According to the indictment, the alleged gang carried out two lucrative unlimited operations between October 2012 and last month. In the initial attack, hackers working with the gang on Dec. 22 allegedly targeted a credit card processor that handled prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah, a United Arab Emirates bank also known as Rakbank

After penetrating the processor's computer network, the hackers fraudulently manipulated the balances and withdrawal limits on Rakbank prepaid debit card accounts. Then, teams of so-called cashers allegedly launched carefully timed attacks that caused more than $5 million in criminal losses from more than 4,500 ATMs in about 20 countries.

In just two hours and 25 minutes, the thieves allegedly conducted 750 fraudulent transactions that withdrew nearly $400,000 from approximately 140 New York City ATM locations, according to prosecutors and the indictment.

The alleged second unlimited operation unfolded between the afternoon of Feb. 19 and the pre-dawn hours of the following day. This time, the gang's hackers allegedly compromised computers of the processor of prepaid debit cards for the Bank of Muscat, located in Oman.

In approximately 10 hours, casher cells in 24 countries conducted approximately 36,000 ATM transactions worldwide, withdrawing an estimated $40 million, the indictment charged. The haul included $2.4 million withdrawn by the alleged New York crew.

Authorities in more than a dozen countries around the world are working with U.S. counterparts on the investigation. The allegations announced Thursday did not identify the suspected mastermind leading the cyberattacks or the suspected computer hackers.

However the indictment charged the gang's New York group was headed by Alberto Yusi Lajud-Pena, 23, who was also known as "Prime" and "Albertico." He and gang confederates Elvis Rafael Rodriguez, 24, and Emir Yasser Yeje, 24, allegedly laundered hundreds of thousands of dollars stolen from the ATMs by depositing the cash in bank accounts and using the money to buy luxury cars and expensive watches.

In a single transaction, a total of nearly $150,000 in $20 bills was deposited in a Miami account controlled by Lajud-Pena, the indictment charged. He was found murdered in the Dominican Republic last month, authorities said.

Federal authorities have so far seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV. They are also seeking forfeiture of a Porsche Panamera, which, like the SUV, was allegedly bought with money stolen in the cyber scheme.

In all, seven of the eight suspected members of the gang's New York crew have been arrested and indicted on charges of conspiracy to commit access device fraud, money laundering conspiracy and money laundering. If convicted, they would face a maximum 10-year prison terms on each money laundering charge, 7.5 years on the access device fraud count and up to $250,000 in fines.